Annual Report for Fiscal Year 2016-2017
Report Number: S-1718-16
September 29, 2017
Eric M. Larson, State CIO/Executive Director
Tabitha A. McNulty, Inspector General
Rick Scott, Governor
State of Florida
Agency for State Technology
4050 Esplanade Way, Suite 115
Tallahassee, FL 32399-0950
Tel: 850-412-6050
Eric M. Larson, State CIO/Executive Director
Tabitha A. McNulty, Inspector General

September 29, 2017

Eric M. Larson, State CIO/Executive Director
Agency for State Technology
4050 Esplanade Way, Suite 115
Tallahassee, Florida 32399-0905

Eric W. Miller, Chief Inspector General
Executive Office of the Governor
The Capitol, Suite 1902
Tallahassee, Florida 32399-0001

Dear State Chief Information Officer Larson and Chief Inspector General Miller:

I am pleased to submit the Office of Inspector General's Annual Report for the fiscal year ending June 30, 2017, as required by section 20.055, Florida Statutes. This report highlights the accomplishments, findings, and recommendations of activities completed during the 2016-2017 fiscal year.

I look forward to continuing to work with both of you and the opportunities the current fiscal year presents as we move forward in ensuring accountability, integrity, efficiency, and effectiveness in fulfilling the Agency's mission and strategic goals.

Thank you for your continued support of the Agency's Office of Inspector General.

Sincerely,
Tabitha A. McNulty, CISA, CIG, CIGA
Inspector General

TAM
cc: Sherrill F. Norman, CPA, Florida Auditor General
Table of Contents
Introduction and Background
Agency for State Technology Responsibilities
Office of Inspector General Responsibilities
Organizational Profile
Staff Qualifications
Continuing Professional Education and Development
Major Functions within the Office of Inspector General
Investigations
Internal Audit
Accomplishments
Summary of Projects
Audit Activities
Investigation Activities
Other Items
Annual and Long-term Work Plans
Annual Work Plan
Long-term Work Plan
Introduction and Background

Section 20.055, Florida Statutes, requires that each Governor's agency inspector general submit to the agency head and the Chief Inspector General an annual report, no later than September 30 of each year. The report summarizes activities during the preceding state fiscal year. The report includes, but is not limited to, the following:

- Summary of each audit and investigation completed during the reporting period;
- Description of significant abuses and deficiencies relating to the administration of programs and operations of the agency disclosed by investigations, audits, reviews, or other activities during the reporting period; and
- Description of recommendations for corrective action made by the Office of Inspector General (OIG) during the reporting period with respect to significant problems, abuses, or deficiencies identified.

This report is presented to the State Chief Information Officer/Executive Director (State CIO) and the Chief Inspector General in accordance with the statutory requirement.

Agency for State Technology Responsibilities

The Agency for State Technology (Agency) was created in July 2014 and consolidated the Northwood and Southwood Shared Resource Centers to become the State Data Center. The Agency was given the following duties and functions:

- Develop and publish information technology policy for the management of the state's information technology resources;
- Establish and publish technology architecture standards and assist state agencies with compliance with the standards;
- Establish project management and oversight standards for state agencies to use when implementing information technology projects;
- Perform project oversight on all state agency information technology projects that have a total cost of $10 million or more;
- Identify opportunities for standardization and consolidation of information technology services; and
- In collaboration with the Department of Management Services, establish best practices for the procurement of information technology products, and participate in evaluating, conducting and negotiating competitive solicitations for state term contracts for information technology commodities, consultant services, or staff augmentation.

Office of Inspector General Responsibilities

The OIG's mission is to assist the State CIO and Agency management in achieving success through technology by using a systematic, disciplined approach to evaluate and improve the effectiveness of the Agency's risk management, controls, and governance processes. The specific statutory duties and responsibilities of the OIG according to section 20.055, Florida Statutes, include:

- Assess the reliability and validity of the information provided by the Agency on performance measures, standards, and procedures for evaluating Agency programs;
- Assess the reliability and validity of performance measures and make recommendations for improvement;
- Review the actions taken by the Agency to improve program performance and meet program standards, while making recommendations for improvement, if necessary;
- Provide direction for, supervise, and coordinate audits, investigations, and management reviews relating to the Agency's operations;
- Conduct, supervise, and coordinate other activities to promote economy and efficiency or designed to prevent and detect fraud, waste, and abuse in the Agency;
- Keep the State CIO and the Chief Inspector General informed concerning fraud, waste, abuse, and deficiencies in programs and operations administered or financed by the Agency, recommend corrective action, and report on the implementation of the corrective action;
- Ensure effective coordination and cooperation between the Auditor General, federal auditors and other government bodies, with a view toward avoiding duplication;
- Review, as appropriate, Agency rules and make recommendations relating to their impact;
- Ensure that an appropriate balance is maintained between audits, investigations, and other accountability activities; and
- Comply with the General Principles and Standards for Offices of Inspector General as published and revised by the Association of Inspectors General.
Organizational Profile

To carry out the duties and responsibilities of the OIG, the inspector general is under the general supervision of the agency head for administrative purposes, and reports to the Chief Inspector General within the Executive Office of the Governor. At the end of the 2016-2017 fiscal year, there was one professional/technical staff person appointed to the office, the agency inspector general.

Staff Qualifications

The inspector general has background and experience in a variety of disciplines in both the public and private sectors. These disciplines include accounting, auditing, program evaluation, and management. She possesses professional certifications and participates in a number of professional organizations. Below is a summary of certifications and professional organizational affiliations maintained by the inspector general.

Professional certifications held include:

Certifications
- Certified Information Systems Auditor (CISA)
- Certified Inspector General (CIG)
- Certified Inspector General Auditor (CIGA)

The inspector general is affiliated with:

Professional Organization Affiliations
- The Association of Inspectors General
- ISACA
- The Institute of Internal Auditors, Inc.
- Florida Chapter, Association of Inspectors General
- Tallahassee Chapter, ISACA
- Tallahassee Chapter, The Institute of Internal Auditors, Inc.

Continuing Professional Education and Development

The inspector general has a personal responsibility to achieve and maintain the level of competence required to perform the respective duties and responsibilities of the office. The inspector general stays current with trends in internal auditing and investigations to maintain professional proficiency through membership in these various professional organizations.

As required by statute, the OIG performs work in accordance with the International Standards for the Professional Practice of Internal Auditing, as published by The Institute of Internal Auditors, Inc. and/or Principles and Standards for Offices of Inspector General, published by the Association of Inspectors General. These standards require staff to maintain proficiency through continuing professional education and training. The required training hours are met by participating in professional affiliation conferences, webinars, and luncheons.

Major Functions within the Office of Inspector General

Investigations

Investigations is responsible for management and operation of administrative investigations designed to detect, deter, prevent, and/or eradicate fraud, waste, mismanagement, misconduct, and other abuses involving the Agency's employees, contractors, and vendors. Investigations are conducted in accordance with the Principles and Standards for Offices of Inspector General, published by the Association of Inspectors General.

Investigations are usually the result of a complaint or inquiry. Inquiries and complaints regarding Agency activities may be received from many sources, including:

- Whistle-blower's Hotline,
- Office of the Chief Inspector General,
- Executive Office of the Governor,
- Agency employees, and
- Others doing business with the agency.

A thorough fact-finding investigation determines whether an alleged violation of law, rule, or policy actually occurred. These investigations may include witness(es) and subject interviews, review of documentation, and observations. Allegations are proved by a preponderance of the evidence. An investigative report is published for all opened investigations and Agency management may use the report for disciplinary or corrective action.
When the inspector general receives a complaint without enough specificity to determine whether an investigation should be opened, but it appears serious enough, a preliminary review is conducted in an attempt to acquire additional facts. If enough information is gathered, then the preliminary inquiry may result in an investigation.

Internal Audit

Internal Audit performs independent, objective audits, reviews, and examinations to provide management with information on the adequacy and effectiveness of the Agency's internal controls and the economy, efficiency, and effectiveness of the Agency programs, activities, and functions. Additionally, the reports identify, report, and recommend corrective actions to improve the Agency's services, activities, and functions.

Audits, reviews, and examinations are performed in accordance with the International Standards for the Professional Practice of Internal Auditing, as published by The Institute of Internal Auditors, Inc. These standards provide a framework for ensuring independence, objectivity, and due professional care in the performance of internal audit work.

To ensure adequate coverage of the many Agency activities and to support management, internal audit conducts a risk assessment to create an annual audit plan. The assessment ensures that the inspector general is responsive to management's concerns and that those activities with the greatest risks are identified and scheduled for review. However, the State CIO or Chief Inspector General may request the inspector general to perform an audit or review of a program, function, or organizational unit.
Additional functions of internal audit are as follows:

- Conduct Performance Audits to ensure effectiveness, efficiency, and economy of Agency services;
- Provide Management Assistance Services to advise management on emerging issues and concerns;
- Coordinate Audit Responses and conduct Follow-up Audits to findings and recommendations made internally by the inspector general or externally by the Auditor General, Office of Program Policy Analysis and Government Accountability (OPPAGA), and other oversight units;
- Coordinate customer External Audit Requests and responses; and
- Assist management in the development of Performance Measures and assess the reliability and validity of the Agency's information on performance measurement and standards.
Accomplishments

During Fiscal Year 2016-2017, the inspector general accomplished the following work:

Activity: Quantity
- Complaints Received and Reviewed: 10
- Investigations Completed: 1
- External Audits Coordinated: 10
- Customer's External Audits Coordinated: 8
- Agency External Audit Findings Reviewed and Closed: 9
- Performance Audit Completed: 0

To accomplish these activities, the inspector general's time resources are shown in the following chart:

Time Resources
- Audit Activities: 40%
- Administrative Activities: 26%
- Leave: 16%
- Investigative Activities: 11%
- Training: 7%

Summary of Projects

Audit Activities

During the fiscal year the inspector general did not issue any audit reports that were consistent with the International Standards for the Professional Practice of Internal Auditing, as published by The Institute of Internal Auditors, Inc.
Follow-up to Open Audit Findings and Recommendations

The inspector general reviewed and conducted follow-up audit work on reports issued by the Auditor General. These reviews included follow-up on 21 open audit findings and remediation was completed for nine. The inspector general completed the work on the following issued Auditor General reports:

- State Data Center Operations - Report No. 2017-087
- Comprehensive Risk Assessments at Selected State Agencies - Report No. 2017-004
- State of Florida Compliance and Internal Controls Over Financial Reporting and Federal Awards - Report 2016-159
- State of Florida Compliance and Internal Controls Over Financial Reporting and Federal Awards - Report 2015-166

Investigation Activities

Investigative Report I-1516-27

The inspector general received a complaint that a contractor hired by the Agency had allegedly recorded meetings without the meeting attendees' knowledge. Based on the allegation, the case was referred to the Florida Department of Law Enforcement (FDLE) for criminal review. After FDLE finished the case, they found no information to support the criminal allegation.

Investigative Report I-1617-22

The inspector general received a complaint alleging that an employee did not provide a truthful and accurate accounting of time worked on their timesheet and was using a state-issued phone for personal business without reimbursing the state. During the preliminary investigation, the employee resigned from the Agency and the inspector general closed the investigation. Prior to the employee's resignation, the employee reimbursed the state for the personal use of the telephone and corrected the timesheet errors.

Other Items

Computer Security Incident Response Team

The inspector general is also required to serve as a member of the Computer Security Incident Response Team (CSIRT) for the Agency.
CSIRT is a response unit that mitigates and investigates apparent information security incidents to minimize damage to the agency's computer systems, networks, and data.
Customer Audit and Investigation Coordination

The inspector general is the central point of contact for customers when they have a need for external or internal audit support. During the fiscal year the following agencies requested help or coordination with audits between the Agency and their external auditors:

- Department of Children and Families
- Department of Economic Opportunity
- Department of Revenue
- Department of Transportation
- Department of Highway Safety and Motor Vehicles
- Department of Health

As part of the customers' external audit coordination, the inspector general provides initial responses and remediation updates. During the 2016-2017 fiscal year, the inspector general coordinated updates to over 300 issues, security control settings, findings, and recommendations.

Research and Analysis for Legislative Session

During the 2017 Legislative Session, Agency executive staff requested the inspector general to provide an analysis and comparison of similar audit findings issued by the Auditor General to the State Data Center and other state agencies. The analysis was used as information during discussions with legislators and their staff.

Annual and Long-term Work Plans

Section 20.055(5)(i), Florida Statutes, requires that annual and long-term audit plans be developed based on the findings of periodic risk assessments. The purpose of developing the Annual Work Plan is to identify, select, and plan the allocation of resources for the upcoming year, based on the assessment. The overriding consideration during the development of the annual plan is to provide the greatest benefit to the Agency with the OIG's very limited resources.

Annual Work Plan

State CIO Larson approved the Annual Work Plan on September 25, 2017. The 2,080 hours available for the fiscal year are allocated as follows:
Work Plan for Fiscal Year 2017-2018

Audit Activities (Hours)
- ISO/IEC 20000 Internal Review: 100
- Continuity of Operations Planning Audit (Continuation from last year): 90
- Contract Management Audit: 120
- Performance Measure Review: 10
- External Audit Coordination: 220
- Audit Follow-up Activities: 225
- Enterprise Projects (Requested by the Chief Inspector General): 200
- Subtotal: 965

Investigation Activities (Hours)
- Complaint Intake, Preliminary Inquiries, and Investigations: 200

Internal Reports (Hours)
- Annual Risk Assessment and Work Plan for FY 2017-2018: 50
- Annual Risk Assessment and Work Plan for FY 2018-2019: 40
- Annual Report: 30
- Audit Charter Updates: 10
- Schedule IX Major Audit Findings and Recommendations: 10
- Quarterly Legislative Reporting: 60
- Subtotal: 200

Office Management (Hours)
- Administrative Duties: 250
- Update Policies and Procedures: 30
- Public Records Requests: 5
- Subtotal: 285

Training (Hours)
- Professional Training: 60
- Staff Development: 10
- Subtotal: 70

Holiday and Leave (Hours)
- Annual Leave: 176
- Sick Leave: 104
- Holiday: 80
- Subtotal: 360

Total Hours Available: 2,080
Long-term Work Plan

For fiscal years 2018-2019 and 2019-2020, the OIG plans to ensure that provided services will be of the most benefit to the Agency. The goal is to achieve and maintain an appropriate balance between audit, investigation, and other accountability activities. If the OIG continues to only have a single person, the OIG will continue to have 2,080 hours available for projects during the 2018-2019 and 2019-2020 fiscal years. Therefore, the OIG would expect to expend the available hours in the following activities:

Long-term Work Plan
Activity: Hours
- Audit Activities: 965
- Investigation Activities: 200
- Internal Reports: 200
- Office Management: 285
- Training: 70
- Holiday and Leave: 360
- Total Available Hours: 2,080

However, the long-term plans are subject to change based on the results of the periodic risk assessment and to be responsive to the concerns of both the State CIO and Chief Inspector General.
2585 Shumard Oak Blvd. Tallahassee, Florida 32399 Office (850) 412-6022 http://www.ast.myflorida.com/inspectorgeneral.asp